The long-awaited system, which launched last week, sends a six-digit numeric code via SMS to the mobile phone number registered on the account. The code must be entered, in addition to the password, to log into the Twitter account.

Surely, any improvement to Twitter's security controls is good news, right? Unfortunately, early feedback has been less than positive. "Twitter's first run at this just seems like a hot mess," tweeted Sean Sullivan, security adviser at F-Secure Labs, citing usability and recoverability issues.

Accordingly, weigh these five related problems before deciding to activate the new security feature:

1. Don't Lose Your Mobile Phone

What happens if Twitter users lose their mobile phone and can't receive the SMS code? So far, the answer doesn't look good: Twitter's password-reset flow still requires a user who has activated two-step verification to enter an SMS-sent code before being allowed to change the password, so a lost or unreachable phone blocks both login and account recovery. Unlike Google, which lets users print out one-time backup codes for use when their mobile phone is lost or stolen, or when they're traveling without cellular network connectivity, Twitter offers no backup method.

2. The System Doesn't Allow Activations For Incompatible Carriers

Not all carriers' networks are compatible with Twitter's two-step verification feature. Twitter has said compatibility will increase over time.

Some users have reported being able to turn on two-step verification, only to never receive the SMS code they needed to access their account, because their mobile telecom carrier doesn't yet support Twitter's system. In other words, they've locked themselves out of their Twitter account.

Getting stuck in that situation is possible because Twitter's setup process asks the user to click yes or no on whether they've received a confirmation SMS from the company, as its check that the carrier is compatible with the system. The check relies on the user's answer rather than on proof of receipt: if a user incorrectly or accidentally selects "yes" without having actually received the verification SMS, the account is then protected by a credential they can't receive. Their only recourse is to contact Twitter's support team and prove who they are in order to have two-step verification deactivated and regain access to the account.

A simple, well-known fix would prevent these situations: require the user to type in the delivered code before the feature is switched on. "You shouldn't be able to [activate] SMS 2-factor w/o entering a code sent via SMS," tweeted Sullivan. The fact that Twitter didn't take that approach -- as many other businesses offering two-factor authentication have done -- suggests Twitter's two-step verification effort is a rush job.
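The following is an added illustration of the two fixes discussed under problems 1 and 2: an enrollment flow that only enables the SMS second factor after the user proves the code arrived, and printable single-use backup codes for a lost phone. It is example code written for this article, not Twitter's or Google's implementation; the validity window, attempt limit, code lengths, and the "carrier" stand-ins are assumptions.

```python
# Added example, not Twitter's or Google's code. Policy constants are assumptions.
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300      # assumed: an SMS code is usable for five minutes
MAX_ATTEMPTS = 5            # assumed: wrong guesses allowed before a pending code is void
BACKUP_CODE_COUNT = 10      # assumed: number of printable backup codes issued


def _digest(value: str) -> str:
    """Codes are stored hashed so a leaked database does not expose live codes."""
    return hashlib.sha256(value.encode()).hexdigest()


class Account:
    def __init__(self, handle: str, phone: str):
        self.handle = handle
        self.phone = phone
        self.sms_2fa_enabled = False
        self._pending = None            # [digest, expires_at, attempts_left]
        self._backup_digests = set()    # hashes of unused backup codes

    def _issue_code(self, send_sms, now):
        """Generate a six-digit code, keep only its hash, hand it to the carrier."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending = [_digest(code), now + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        send_sms(self.phone, code)

    def _consume_code(self, entered, now):
        """True only if a live pending code matches; a match or expiry clears it."""
        if self._pending is None:
            return False
        digest, expires_at, attempts_left = self._pending
        if now > expires_at or attempts_left <= 0:
            self._pending = None
            return False
        if hmac.compare_digest(digest, _digest(entered)):
            self._pending = None
            return True
        self._pending[2] -= 1
        return False

    # Enrollment: the feature turns on only after the user types the delivered code.
    def begin_sms_enrollment(self, send_sms, now=None):
        self._issue_code(send_sms, time.time() if now is None else now)

    def confirm_sms_enrollment(self, entered, now=None):
        """A user who never received the SMS has nothing valid to type, so the
        account is never locked behind a credential it cannot receive.
        Returns the plaintext backup codes exactly once, or None on failure."""
        if not self._consume_code(entered, time.time() if now is None else now):
            return None
        self.sms_2fa_enabled = True
        codes = [f"{secrets.randbelow(10**8):08d}" for _ in range(BACKUP_CODE_COUNT)]
        self._backup_digests = {_digest(c) for c in codes}
        return codes

    # Login: accept a fresh SMS code or one unused backup code, which is then burned.
    def begin_login_challenge(self, send_sms, now=None):
        self._issue_code(send_sms, time.time() if now is None else now)

    def verify_second_factor(self, entered, now=None):
        if self._consume_code(entered, time.time() if now is None else now):
            return True
        digest = _digest(entered)
        if digest in self._backup_digests:
            self._backup_digests.discard(digest)
            return True
        return False


# Constructed stand-ins for the carrier: one delivers, one silently drops the text.
class Outbox:
    def __init__(self):
        self.messages = []

    def deliver(self, phone, code):
        self.messages.append((phone, code))


def drop_sms(phone, code):
    """An 'incompatible carrier': the code is sent but never arrives."""


def demo():
    outbox = Outbox()
    ok = Account("@good_carrier", "+15550001111")        # constructed sample accounts
    ok.begin_sms_enrollment(outbox.deliver)
    backup = ok.confirm_sms_enrollment(outbox.messages[-1][1])

    stuck = Account("@no_carrier", "+15550002222")
    stuck.begin_sms_enrollment(drop_sms)
    stuck.confirm_sms_enrollment("")       # clicked "yes" but has no code to type: fails closed

    ok.begin_login_challenge(drop_sms)     # phone later lost; the printed code still works once
    first_use = ok.verify_second_factor(backup[0])
    second_use = ok.verify_second_factor(backup[0])
    return ok.sms_2fa_enabled, stuck.sms_2fa_enabled, first_use, second_use


if __name__ == "__main__":
    print(demo())
```

Run as a script, `demo()` returns `(True, False, True, False)`: the reachable user is enrolled and can fall back to a backup code exactly once; the user whose carrier dropped the message is left with two-step verification off rather than locked out.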

3. One Mobile Phone Secures Only One Account

People with more than one Twitter account must also decide which single account to protect using two-step verification, unless they also have more than one mobile phone number. That's because Twitter allows a mobile phone number to be associated with only a single Twitter handle. As software architect Troy Hunt tweeted: "Looks like you can only do Twitter 2FA with one account per mobile number. That totally sucks." For comparison's sake, authenticator apps from Google and Microsoft allow one-time codes to be generated for any number of registered accounts, and many SMS-based services allow the same mobile phone number to be used with more than one account.

4. For Group Accounts, No Syrian Electronic Army Defense

Twitter's login security model has been criticized after a rash of online account takeovers, including the Syrian Electronic Army's hoax Associated Press tweet claiming that President Obama had been injured in White House bomb blasts.

The new two-step verification feature won't block takeovers of media outlets' shared Twitter accounts, because each account's code is delivered to a single mobile phone number, and a newsroom's staff can't all hold that phone. "TFA isn't going to help these companies, because they can't all access the same phone at the same time," said Graham Cluley, senior technology consultant at Sophos, in a blog post.

"Either those people will have to leave themselves permanently logged into Twitter (which is itself unwise from the security perspective), or one central trusted person will have to 'own' the phone -- and share the six-digit code with journalists as they try to log in to share breaking news stories," Cluley said. Given those kludgy workarounds, "many media organizations may choose not to enable Twitter's additional security at this time," he said.

Instead, he has argued, Twitter should implement a system in which the username used to log in is no longer the same as the person's public Twitter handle. That way, handles can stay public while usernames and passwords are kept secret. Until that happens, Sullivan tweeted, "adding 2-factor authentication to a leaky 'social' ship seems like putting the cart in front of the horse."

Thanks for this informative article. I had just enabled the Two-Factor Twitter option, but clearly didn't think through the implications. After reading this article, I've gone back in and unchecked the option.

I reached here while searching for methods to regain access to my account. I am stuck with situation no. 1: I recently relocated to a different country and don't have cellular coverage on my old phone number. I can't find any way to contact Twitter support either. Please share if you come up with some solution.

There's another reason to avoid this - if you give your mobile number to Twitter for authentication, they can send you marketing texts and allow others to find you on Twitter who know your number - see http://blog.kuan0.com/2013/06/...